CVE-2026-54069
Summary
SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined with the default empty AccessAuthCode on desktop installs, any Chrome/Chromium extension -- including a compromised legitimate extension via supply chain attack -- can make fully authenticated admin API calls to the SiYuan kernel at 127.0.0.1:6806, enabling data exfiltration, stored XSS injection, and configuration tampering.
Affected Versions
SiYuan <= v3.6.5 (commit 96dfe0bea474). The chrome-extension allowlist remains unfixed as of the latest commit on the fix branch (d7b77d945e0d).
Vulnerability Details
Blanket chrome-extension:// Origin Trust (CWE-346)
In kernel/model/session.go:277, the CheckAuth middleware exempts all chrome-extension:// origins from authentication:
if strings.HasPrefix(origin, "chrome-extension://") {
// skip auth
}
At session.go:284, the request is assigned RoleAdministrator:
c.Set("role", model.RoleAdministrator)
The AccessAuthCode field defaults to an empty string for desktop installs (ContainerStd). When empty, no token validation occurs. This means any Chrome/Chromium extension can make fully authenticated admin API calls to the SiYuan kernel.
The origin check trusts the entire chrome-extension:// scheme rather than validating a specific extension ID, so every installed extension (including those with no explicit host_permissions) can access all admin endpoints.
Proof of Concept
Unauthenticated admin API access via browser extension:
A minimal Chrome extension with only default permissions:
{
"manifest_version": 3,
"name": "SiYuan PoC",
"version": "1.0",
"background": {
"service_worker": "bg.js"
}
}
// bg.js -- runs as chrome-extension://<id>
// No special host_permissions needed; localhost is accessible by default
// 1. Verify admin access
fetch('http://127.0.0.1:6806/api/system/getConf', {
method: 'POST',
headers: {
⚡ Watch CVE-2026-54069
Get an email if CVE-2026-54069 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.61% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 45% of all EPSS-scored CVEs.
Advisory coverage (1)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-54069)